diff --git a/SecureAuditor.ps1 b/SecureAuditor.ps1 index df87eb9..3c09bad 100644 --- a/SecureAuditor.ps1 +++ b/SecureAuditor.ps1 @@ -27,17 +27,23 @@ $config = Get-IniContent -file ([IO.Path]::Combine($PSScriptRoot, 'SecureAuditor # System Information Write-Output "## $($i18n.SystemInfo)`n" -$props = $config.ComputerInfo.Properties -split ',\s*' -$info = Get-ComputerInfo -Property $props -foreach ($prop in $props) { - if ($prop -eq 'OsHotFixes' -and $info.OsHotFixes.Count -gt 0) { - Write-Output "- OsHotFixes:" - foreach ($hotFix in $info.OsHotFixes) { - Write-Output " - $($hotFix.HotFixID): $($hotFix.InstalledOn) $($hotFix.Description)" + +if ($PSVersionTable.PSEdition -eq 'Core' -and $PSVersionTable.Platform -ne 'Win32NT') { + Write-Output "- $(& uname -a)" +} +else { + $props = $config.ComputerInfo.Properties -split ',\s*' + $info = Get-ComputerInfo -Property $props + foreach ($prop in $props) { + if ($prop -eq 'OsHotFixes' -and $info.OsHotFixes.Count -gt 0) { + Write-Output "- OsHotFixes:" + foreach ($hotFix in $info.OsHotFixes) { + Write-Output " - $($hotFix.HotFixID): $($hotFix.InstalledOn) $($hotFix.Description)" + } + continue; } - continue; + Write-Output "- $($prop): $($info.$prop)" } - Write-Output "- $($prop): $($info.$prop)" } # Test Rules diff --git a/SecureAuditor.psd1 b/SecureAuditor.psd1 index ed83b45..f44b833 100644 --- a/SecureAuditor.psd1 +++ b/SecureAuditor.psd1 @@ -63,7 +63,7 @@ # NestedModules = @() # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. - FunctionsToExport = @('Get-IniContent', 'IsLocalAdministrator', 'Write-CheckList', 'Write-RequireAdministrator') + FunctionsToExport = @('Get-IniContent', 'IsLocalAdministrator', 'Write-CheckList', 'Write-RequireAdministrator', 'Write-UnsupportedPlatform') # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. CmdletsToExport = @() diff --git a/SecureAuditor.psm1 b/SecureAuditor.psm1 index bc39f20..af55946 100644 --- a/SecureAuditor.psm1 +++ b/SecureAuditor.psm1 @@ -1,8 +1,9 @@ $i18n = Data { # culture="en-US" ConvertFrom-StringData @' - RequireAdministrator = Require Administrator - SkipRule = Skip rule + RequireAdministrator = Require Administrator + SkipRule = Skip rule + UnsupportedPlatform = Unsupported Platform '@ } @@ -49,6 +50,10 @@ function Write-RequireAdministrator($ruleName) { Write-Host "`n> $($i18n.SkipRule): $($ruleName) ($($i18n.RequireAdministrator)) ..." } +function Write-UnsupportedPlatform($ruleName) { + Write-Host "`n> $($i18n.SkipRule): $($ruleName) ($($i18n.UnsupportedPlatform)) ..." +} + function Write-CheckList([bool]$pass, [string]$item) { Write-Output "- [$(if($pass) {'x'} else {' '})] $($item)" } diff --git a/rules/Antivirus.psm1 b/rules/Antivirus.psm1 index 0e45426..22aa0bf 100644 --- a/rules/Antivirus.psm1 +++ b/rules/Antivirus.psm1 @@ -12,6 +12,11 @@ if ($PSUICulture -ne 'en-US') { } function Test($config) { + if ($PSVersionTable.PSEdition -eq 'Core' -and $PSVersionTable.Platform -ne 'Win32NT') { + $ruleName = [System.IO.Path]::GetFileNameWithoutExtension($PSCommandPath) + Write-UnsupportedPlatform($ruleName) + return + } $osInfo = Get-CimInstance -ClassName Win32_OperatingSystem if ($osInfo.ProductType -ne 1) { # Windows Server diff --git a/rules/DefaultAccount.psm1 b/rules/DefaultAccount.psm1 index 70f539d..b1de587 100644 --- a/rules/DefaultAccount.psm1 +++ b/rules/DefaultAccount.psm1 @@ -12,6 +12,11 @@ if ($PSUICulture -ne 'en-US') { } function Test($config) { + if ($PSVersionTable.PSEdition -eq 'Core' -and $PSVersionTable.Platform -ne 'Win32NT') { + $ruleName = [System.IO.Path]::GetFileNameWithoutExtension($PSCommandPath) + Write-UnsupportedPlatform($ruleName) + return + } Write-Output "`n## $($i18n.DefaultAccount)`n" $userNames = $config.DefaultAccount.LocalUserNames -split ',\s*' foreach ($userName in $userNames) { diff --git a/rules/DiskSpace.psm1 b/rules/DiskSpace.psm1 index 5fa85d1..4483ab9 100644 --- a/rules/DiskSpace.psm1 +++ b/rules/DiskSpace.psm1 @@ -13,6 +13,11 @@ if ($PSUICulture -ne 'en-US') { } function Test($config) { + if ($PSVersionTable.PSEdition -eq 'Core' -and $PSVersionTable.Platform -ne 'Win32NT') { + $ruleName = [System.IO.Path]::GetFileNameWithoutExtension($PSCommandPath) + Write-UnsupportedPlatform($ruleName) + return + } Write-Output "`n## $($i18n.DiskSpace)`n" # https://learn.microsoft.com/windows/win32/cimwin32prov/win32-logicaldisk $logicalDisks = Get-CimInstance -Query "SELECT * FROM Win32_LogicalDisk Where Size > 0" diff --git a/rules/EventLogs.psm1 b/rules/EventLogs.psm1 index 17794c9..bd9525f 100644 --- a/rules/EventLogs.psm1 +++ b/rules/EventLogs.psm1 @@ -16,8 +16,12 @@ if ($PSUICulture -ne 'en-US') { } function Test($config) { + $ruleName = [System.IO.Path]::GetFileNameWithoutExtension($PSCommandPath) + if ($PSVersionTable.PSEdition -eq 'Core' -and $PSVersionTable.Platform -ne 'Win32NT') { + Write-UnsupportedPlatform($ruleName) + return + } if (-not (IsLocalAdministrator)) { - $ruleName = [System.IO.Path]::GetFileNameWithoutExtension($PSCommandPath) Write-RequireAdministrator($ruleName) return } @@ -25,7 +29,7 @@ function Test($config) { $levels = $config.EventLogs.Levels -split ',\s*' | ForEach-Object { [int]::Parse($_) } $days = [int]::Parse($config.EventLogs.Days) * -1 # https://learn.microsoft.com/powershell/scripting/samples/creating-get-winevent-queries-with-filterhashtable - $events = Get-WinEvent -FilterHashtable @{ + $events = Get-WinEvent -FilterHashtable @{ LogName = $logNames Level = $levels StartTime = (Get-Date).AddDays($days) diff --git a/rules/IdleAccount.psm1 b/rules/IdleAccount.psm1 index 89b02ad..883f41d 100644 --- a/rules/IdleAccount.psm1 +++ b/rules/IdleAccount.psm1 @@ -11,6 +11,11 @@ if ($PSUICulture -ne 'en-US') { } function Test($config) { + if ($PSVersionTable.PSEdition -eq 'Core' -and $PSVersionTable.Platform -ne 'Win32NT') { + $ruleName = [System.IO.Path]::GetFileNameWithoutExtension($PSCommandPath) + Write-UnsupportedPlatform($ruleName) + return + } $days = [int]::Parse($config.IdleAccount.Days) * -1 $idleCheckpoint = (get-date).AddDays($days) # https://learn.microsoft.com/powershell/module/microsoft.powershell.localaccounts/get-localuser diff --git a/rules/Login.psm1 b/rules/Login.psm1 index cdc08f7..51edc66 100644 --- a/rules/Login.psm1 +++ b/rules/Login.psm1 @@ -13,14 +13,18 @@ if ($PSUICulture -ne 'en-US') { } function Test($config) { + $ruleName = [System.IO.Path]::GetFileNameWithoutExtension($PSCommandPath) + if ($PSVersionTable.PSEdition -eq 'Core' -and $PSVersionTable.Platform -ne 'Win32NT') { + Write-UnsupportedPlatform($ruleName) + return + } if (-not (IsLocalAdministrator)) { - $ruleName = [System.IO.Path]::GetFileNameWithoutExtension($PSCommandPath) Write-RequireAdministrator($ruleName) return } $days = [int]::Parse($config.Login.Days) * -1 # https://learn.microsoft.com/windows/security/threat-protection/auditing/basic-audit-logon-events - $events = Get-WinEvent -FilterHashtable @{ + $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security' Id = 4624, 4625 StartTime = (Get-Date).AddDays($days) diff --git a/rules/NetworkTimeSync.psm1 b/rules/NetworkTimeSync.psm1 index d0de8c4..b3f8d45 100644 --- a/rules/NetworkTimeSync.psm1 +++ b/rules/NetworkTimeSync.psm1 @@ -11,6 +11,11 @@ if ($PSUICulture -ne 'en-US') { } function Test($config) { + if ($PSVersionTable.PSEdition -eq 'Core' -and $PSVersionTable.Platform -ne 'Win32NT') { + $ruleName = [System.IO.Path]::GetFileNameWithoutExtension($PSCommandPath) + Write-UnsupportedPlatform($ruleName) + return + } Write-Output "`n## $($i18n.NetworkTimeSync)`n" # https://learn.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings $pinfo = New-Object System.Diagnostics.ProcessStartInfo diff --git a/rules/PasswordExpires.psm1 b/rules/PasswordExpires.psm1 index e9aa6dc..d6c9f39 100644 --- a/rules/PasswordExpires.psm1 +++ b/rules/PasswordExpires.psm1 @@ -11,6 +11,11 @@ if ($PSUICulture -ne 'en-US') { } function Test($config) { + if ($PSVersionTable.PSEdition -eq 'Core' -and $PSVersionTable.Platform -ne 'Win32NT') { + $ruleName = [System.IO.Path]::GetFileNameWithoutExtension($PSCommandPath) + Write-UnsupportedPlatform($ruleName) + return + } # https://learn.microsoft.com/powershell/module/microsoft.powershell.localaccounts/get-localuser $users = Get-LocalUser | Where-Object { $_.Enabled -and $null -eq $_.PasswordExpires } $exclude = $config.PasswordExpires.Exclude; diff --git a/rules/PasswordPolicy.psm1 b/rules/PasswordPolicy.psm1 index 41c1bcf..6b5bef1 100644 --- a/rules/PasswordPolicy.psm1 +++ b/rules/PasswordPolicy.psm1 @@ -14,8 +14,12 @@ if ($PSUICulture -ne 'en-US') { } function Test($config) { + $ruleName = [System.IO.Path]::GetFileNameWithoutExtension($PSCommandPath) + if ($PSVersionTable.PSEdition -eq 'Core' -and $PSVersionTable.Platform -ne 'Win32NT') { + Write-UnsupportedPlatform($ruleName) + return + } if (-not (IsLocalAdministrator)) { - $ruleName = [System.IO.Path]::GetFileNameWithoutExtension($PSCommandPath) Write-RequireAdministrator($ruleName) return } diff --git a/rules/PendingUpdates.psm1 b/rules/PendingUpdates.psm1 index 65a14a1..88473a4 100644 --- a/rules/PendingUpdates.psm1 +++ b/rules/PendingUpdates.psm1 @@ -11,6 +11,11 @@ if ($PSUICulture -ne 'en-US') { } function Test($config) { + if ($PSVersionTable.PSEdition -eq 'Core' -and $PSVersionTable.Platform -ne 'Win32NT') { + $ruleName = [System.IO.Path]::GetFileNameWithoutExtension($PSCommandPath) + Write-UnsupportedPlatform($ruleName) + return + } $updateSession = New-Object -ComObject Microsoft.Update.Session $updateSession.ClientApplicationID = 'Windows Secure Auditor' $updateSearcher = $updateSession.CreateUpdateSearcher() diff --git a/rules/Shutdown.psm1 b/rules/Shutdown.psm1 index 95a11a7..80aebcf 100644 --- a/rules/Shutdown.psm1 +++ b/rules/Shutdown.psm1 @@ -10,15 +10,19 @@ if ($PSUICulture -ne 'en-US') { } function Test($config) { + $ruleName = [System.IO.Path]::GetFileNameWithoutExtension($PSCommandPath) + if ($PSVersionTable.PSEdition -eq 'Core' -and $PSVersionTable.Platform -ne 'Win32NT') { + Write-UnsupportedPlatform($ruleName) + return + } if (-not (IsLocalAdministrator)) { - $ruleName = [System.IO.Path]::GetFileNameWithoutExtension($PSCommandPath) Write-RequireAdministrator($ruleName) return } $days = [int]::Parse($config.Shutdown.Days) * -1 $maxEvents = [int]::Parse($config.Shutdown.MaxEvents) # https://learn.microsoft.com/powershell/scripting/samples/creating-get-winevent-queries-with-filterhashtable - $events = Get-WinEvent -FilterHashtable @{ + $events = Get-WinEvent -FilterHashtable @{ LogName = 'System' Id = 41, 1074, 1076, 6008 StartTime = (get-date).AddDays($days) diff --git a/rules/SoftwareInstallation.psm1 b/rules/SoftwareInstallation.psm1 index 946bebf..b3c9d73 100644 --- a/rules/SoftwareInstallation.psm1 +++ b/rules/SoftwareInstallation.psm1 @@ -10,15 +10,19 @@ if ($PSUICulture -ne 'en-US') { } function Test($config) { + $ruleName = [System.IO.Path]::GetFileNameWithoutExtension($PSCommandPath) + if ($PSVersionTable.PSEdition -eq 'Core' -and $PSVersionTable.Platform -ne 'Win32NT') { + Write-UnsupportedPlatform($ruleName) + return + } if (-not (IsLocalAdministrator)) { - $ruleName = [System.IO.Path]::GetFileNameWithoutExtension($PSCommandPath) Write-RequireAdministrator($ruleName) return } $days = [int]::Parse($config.SoftwareInstallation.Days) * -1 $maxEvents = [int]::Parse($config.SoftwareInstallation.MaxEvents) # https://learn.microsoft.com/powershell/scripting/samples/creating-get-winevent-queries-with-filterhashtable - $events = Get-WinEvent -FilterHashtable @{ + $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application' Id = 11707, 11724 StartTime = (get-date).AddDays($days) diff --git a/rules/UserAccountManagement.psm1 b/rules/UserAccountManagement.psm1 index ebb9f77..1e59e1d 100644 --- a/rules/UserAccountManagement.psm1 +++ b/rules/UserAccountManagement.psm1 @@ -1,6 +1,6 @@ $i18n = Data { - # culture="en-US" - ConvertFrom-StringData @' + # culture="en-US" + ConvertFrom-StringData @' Create = create Delete = delete UserAccountManagement = User Account Management @@ -8,36 +8,40 @@ } if ($PSUICulture -ne 'en-US') { - Import-LocalizedData -BindingVariable i18n + Import-LocalizedData -BindingVariable i18n } function Test($config) { - if (-not (IsLocalAdministrator)) { - $ruleName = [System.IO.Path]::GetFileNameWithoutExtension($PSCommandPath) - Write-RequireAdministrator($ruleName) - return - } - $days = [int]::Parse($config.UserAccountManagement.Days) * -1 - # https://learn.microsoft.com/powershell/scripting/samples/creating-get-winevent-queries-with-filterhashtable - $events = Get-WinEvent -FilterHashtable @{ - LogName = 'Security' - Id = 4720, 4726 - StartTime = (get-date).AddDays($days) - } -ErrorAction SilentlyContinue - if ($events.Count -eq 0) { - return - } - Write-Output "`n## $($i18n.UserAccountManagement)`n" - foreach ($event in $events) { - $username = $event.Properties[0].Value - $actor = $event.Properties[4].Value - # https://learn.microsoft.com/windows/security/threat-protection/auditing/event-4720 - if ($event.Id -eq 4720) { - Write-Output ("- {0:yyyy-MM-dd'T'HH:mm:ssK} | ``$($actor)`` $($i18n.Create) ``$($username)``" -f $event.TimeCreated) - } - # https://learn.microsoft.com/windows/security/threat-protection/auditing/event-4726 - elseif ($event.Id -eq 4726) { - Write-Output ("- {0:yyyy-MM-dd'T'HH:mm:ssK} | ``$($actor)`` $($i18n.Delete) ``$($username)``" -f $event.TimeCreated) - } - } + $ruleName = [System.IO.Path]::GetFileNameWithoutExtension($PSCommandPath) + if ($PSVersionTable.PSEdition -eq 'Core' -and $PSVersionTable.Platform -ne 'Win32NT') { + Write-UnsupportedPlatform($ruleName) + return + } + if (-not (IsLocalAdministrator)) { + Write-RequireAdministrator($ruleName) + return + } + $days = [int]::Parse($config.UserAccountManagement.Days) * -1 + # https://learn.microsoft.com/powershell/scripting/samples/creating-get-winevent-queries-with-filterhashtable + $events = Get-WinEvent -FilterHashtable @{ + LogName = 'Security' + Id = 4720, 4726 + StartTime = (get-date).AddDays($days) + } -ErrorAction SilentlyContinue + if ($events.Count -eq 0) { + return + } + Write-Output "`n## $($i18n.UserAccountManagement)`n" + foreach ($event in $events) { + $username = $event.Properties[0].Value + $actor = $event.Properties[4].Value + # https://learn.microsoft.com/windows/security/threat-protection/auditing/event-4720 + if ($event.Id -eq 4720) { + Write-Output ("- {0:yyyy-MM-dd'T'HH:mm:ssK} | ``$($actor)`` $($i18n.Create) ``$($username)``" -f $event.TimeCreated) + } + # https://learn.microsoft.com/windows/security/threat-protection/auditing/event-4726 + elseif ($event.Id -eq 4726) { + Write-Output ("- {0:yyyy-MM-dd'T'HH:mm:ssK} | ``$($actor)`` $($i18n.Delete) ``$($username)``" -f $event.TimeCreated) + } + } } diff --git a/zh-TW/SecureAuditor.psd1 b/zh-TW/SecureAuditor.psd1 index 791097b..9e1c9e9 100644 --- a/zh-TW/SecureAuditor.psd1 +++ b/zh-TW/SecureAuditor.psd1 @@ -1,7 +1,8 @@ # culture="zh-TW" ConvertFrom-StringData -StringData @' +Error = 錯誤 RequireAdministrator = 需要管理者權限 SkipRule = 略過規則 SystemInfo = 系統資訊 -Error = 錯誤 +UnsupportedPlatform = 不支援的作業系統 '@